1. Your Botnet is My Botnet: Analysis of a Botnet Takeover
Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna
Presented by Ryan Genato

2. Overview Introduction to Botnets, Torpig
Domain Flux and “Your Botnet is My Botnet”
Analysis of Torpig Network
What Do You Do With 70,000 Computers?
Conclusions and Future Work

3. Introduction – Terminology
Bot – An application that performs some action or set of actions on behalf of a remote controller
Botnet – A network of infection machines controlled by a malicious entity
Command and Control (C&C) Channel – Used to send commands to bots, and obtain results and status messages
Respectfully lifted from Kemmerer’s presentation of the paper, a 2009 Google Tech Talk

4. Introduction – Mebroot
Rootkit distributed by Neosploit exploit kit
Spread via drive-by-downloads: hidden iframe on website executes obfuscated JavaScript to download Mebroot on victim’s machine
Mebroot overwrites the master boot record of the machine, circumventing most anti- virus tools (back then)
Neosploit – a exploit toolkit similar to Zeus or Zbot. Essentially allowed customization over different malware deployments, with different deliverables. “Script kiddie” level ease and customization that they charged $$$ for – Torpig being one of their many clients.

5. Introduction – Torpig
Once Mebroot has taken hold it loads the Torpig modules from Mebroot C&C server
Torpig contacts its own C&C server for updates and to send victim information

6. Introduction – Torpig What kind of information does Torpig record?
Monitoring popular applications
“Man-in-the-browser” attacks
31 applications were targeted, including the Service Control Manager, web browsers, FTP clients, clients, instant messengers, and system programs (cmd.exe)
Man in the browser attacks would start by waiting for the victim to navigate to a website found in the configuration file, and then inject HTML onto the target page that would ask the user for sensitive information. But because it would be injected onto a legitimate page, it is hard to detect and many users would simply enter in the data. A funny story that was reported is that with PayPal, users would volunteer their sensitive information AND THEN send an to PayPal asking, “didn’t I already give you this information?”

7. Introduction – Domain Flux
Correspondence with C&C server is achieved through domain flux – using a domain generation algorithm to “rotate” through rendezvous points
Advantages:
No single point of failure (fast flux)
Robustness
Disadvantages
Deterministic (this implementation)
If someone can reverse engineer your DGA, they can anticipate future domain addresses…
Fast flux had bots connecting to a single domain address, which was useful in that the domain could be mapped to a set of IP addresses, but was still a single point of failure.

8. Your Botnet Is My Botnet
And that’s exactly what they did!
Reverse engineering the DGA came up with a three week span of unregistered domains
Buy the domains, act as the C&C center, hijack the entire botnet (sinkholing)
Contrast to passive analysis and previous active analysis attempts

9. Gathering Data The C&C center hijack lasted for ten days
What happened to the three weeks of domains?
A couple numbers:
Observed a total of 182,800 peers on the Torpig botnet, 70,000 at peak activity
Recorded 1,247,642 unique IP addresses
Logged 8,310 accounts from 410 institutions
1,660 credit cards
After ten days, a new Mebroot binary was distributed that included an updated DGA for Torpig. The reason why this worked was because the team at UCSB only hijacked the Torpig C&C center. The Mebroot DGA had not yet been cracked, and so the criminals still had control of Mebroot and were able to regain control of the botnet. Why they took ten days? Maybe to figure out who was hijacking them.

10. Data Analysis + Handling
173,686 unique passwords recorded, 40% cracked in less than 75 minutes
28% of users exhibited password reuse
Working with FBI and National Cyber- Forensics to repatriate the stolen information
Need a reputable organization to work things out

11. What Do You Do With 70,000 Computers?
Take down the government!
70,000 users, average 435 kbps (in 2008) = 17 Gbps
5,635 users to take down fbi.gov and justice.gov
10 Gbps to take down Wikileaks
Distributed password cracking

12. Conclusions and Future Work
Victims of botnets pick easy to crack passwords
Better user education, higher password standards
Botnets operating with an HTTP C&C center can be hijacked for periods of time
There is no “off” switch
Improved domain generation algorithms (top Twitter)
When the team at UCSB was removed of their control of the Torpig network, it was because the DGA they had reverse engineered had been replaced by a new algorithm. It was later found that this algorithm used the daily top Twitter comment in its calculating of the next domain, making the DGA non-deterministic. Torpig went through a series of new DGAs as the old ones got cracked, which illustrates the constant struggle between attackers and defenders.

13. Works Referenced
Chen, Adrian. "The Evil New Tactic Behind Anonymous' Massive Megaupload Revenge Attack." Gawker. N.p., 19 Jan Web. 23 Jan
Greulich, Andreas. "Torpig/Mebroot Reverse Code Engineering." . N.p., 18 Apr Web. 23 Jan
Howard, Rick. Cyber Fraud: Tactics, Techniques and Procedures. N.p.: Auerbach Publications, 2009.
Kemmerer, Richard A. "How to Steal a Botnet and What Can Happen When You Do ." YouTube. N.p., n.d. Web. 23 Jan <
Richard, Matt, and Michael Ligh. "making fun of your malware." Defcon 17. N.p., n.d. Web. 23 Jan
Stone-Gross, Brett, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, and Martin Szydlowski. "Your botnet is my botnet: Analysis of a botnet takeover." Proceedings of the 16th ACM conference on Computer and communications security. N.p.: ACM,
Vaughn-Nichols, Stephen J. "DDoS: How to take down WikiLeaks, MasterCard or any other Web site." ZDNet. N.p., 9 Dec Web. 23 Jan

14. Questions?